Default hash

Aaron Toponce aaron.toponce at gmail.com
Thu Feb 24 22:28:43 CET 2011


On Thu, Feb 24, 2011 at 10:32:11AM -0500, Daniel Kahn Gillmor wrote:
> On 02/24/2011 04:03 AM, Doug Barton wrote:
> > You're using a 1024 bit DSA key, which won't allow for 256 bit hashes.
> > RIPEMD-160 is the largest you can use, and works well for that kind of key.
> 
> This isn't actually the case.  Aaron's primary key (0x8086060F) is
> indeed 1024-bit DSA, but his mail is signed with a 2048-bit RSA subkey
> (0xFC04088F), which is perfectly capable of using the stronger digests.

I just ran 'setpref' without any arguments, and it told me that SHA256
would be the default signing algorithm. So, when attempting to do the
signatures, I found SHA1 was coming out.

In the past (and now future), I signed all my mail with SHA512, just
because I can. The message that started this thread, however, is signed
with SHA1, as I wanted to show what was happening (run 'gpg -v
--list-packets' on the sig). I didn't want to break from the defaults
that GnuPG provided.

Due to my 1024-bit DSA key, it appears that RIPEMD-160, SHA1 and MD5 are
my only options for signatures. So, with my 2048-bit RSA subkey, I can
use all the SHA2 hashes. I had just thought that with the recent update
of GnuPG, the SHA2 hashes were available to my DSA key as well.

No worries. I'll stick with the non-default prefs in my
~/.gnupg/gpg.conf.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
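
Added example (not part of the original message, and not GnuPG's own code): a small Python parser for the text that 'gpg --list-packets' prints, reporting which digest each signature packet uses and flagging digests shorter than 224 bits. The sample output, its key IDs and the 224-bit threshold are assumptions constructed for illustration.

```python
import re

# OpenPGP algorithm IDs (RFC 4880, sections 9.1 and 9.4).
PUBKEY = {1: "RSA", 17: "DSA"}
DIGEST = {1: ("MD5", 128), 2: ("SHA1", 160), 3: ("RIPEMD160", 160),
          8: ("SHA256", 256), 9: ("SHA384", 384), 10: ("SHA512", 512),
          11: ("SHA224", 224)}

SIG_RE = re.compile(r"^:signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"^\s+digest algo (\d+),")

# Constructed sample in the layout printed by 'gpg --list-packets';
# key IDs and digest bytes are made up.
SAMPLE = (
    ":signature packet: algo 1, keyid 1111111111111111\n"
    "\tversion 4, created 1298582923, md5len 0, sigclass 0x01\n"
    "\tdigest algo 2, begin of digest 5a 1f\n"
    "\tdata: [2047 bits]\n"
    ":signature packet: algo 1, keyid 2222222222222222\n"
    "\tversion 4, created 1298582923, md5len 0, sigclass 0x01\n"
    "\tdigest algo 10, begin of digest 9c 44\n"
    "\tdata: [2046 bits]\n"
    ":signature packet: algo 17, keyid 3333333333333333\n"
    "\tversion 4, created 1298582923, md5len 0, sigclass 0x01\n"
    "\tdigest algo 3, begin of digest 07 e2\n"
    "\tdata: [160 bits]\n"
    "\tdata: [158 bits]\n"
)

def parse_signatures(text):
    """Return one dict per signature packet: keyid, pubkey, digest, bits."""
    sigs, current = [], None
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            algo = int(m.group(1))
            current = {"keyid": m.group(2), "digest": None, "bits": 0,
                       "pubkey": PUBKEY.get(algo, "unknown(%d)" % algo)}
            sigs.append(current)
        elif line.startswith(":"):
            current = None  # some other packet type; ignore its fields
        elif current is not None and (m := DIGEST_RE.match(line)):
            # Unknown digest IDs keep 0 bits, so they are flagged as weak.
            current["digest"], current["bits"] = DIGEST.get(
                int(m.group(1)), ("unknown(%s)" % m.group(1), 0))
    return sigs

def weak_signatures(text, min_bits=224):
    """Signatures whose digest is shorter than min_bits (assumed threshold)."""
    return [s for s in parse_signatures(text) if s["bits"] < min_bits]

if __name__ == "__main__":
    for sig in weak_signatures(SAMPLE):
        print(sig["keyid"], sig["pubkey"], sig["digest"])
```

To check a real signature, pass the captured output of 'gpg --list-packets' to weak_signatures() in place of SAMPLE.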